    6lowpan: iphc: reset mac_header after decompress to fix panic · 03bc05e1
    Michael Scott authored
    After decompression of 6lowpan socket data, an IPv6 header is inserted
    before the existing socket payload.  After this, we reset the
    network_header value of the skb to account for the difference in payload
    size from prior to decompression + the addition of the IPv6 header.
    
    However, we fail to reset the mac_header value.
    
    Leaving the mac_header value untouched here can cause a calculation
    error in the net/packet/af_packet.c packet_rcv() function when an
    AF_PACKET socket is opened in SOCK_RAW mode for use on a 6lowpan
    interface.
    
    On line 2088, the data pointer is moved backward by the value returned
    from skb_mac_header().  If skb->data is adjusted so that it is before
    the skb->head pointer (which can happen when an old value of mac_header
    is left in place) the kernel generates a panic in net/core/skbuff.c
    line 1717.
    
    This panic can be generated by BLE 6lowpan interfaces (such as bt0) and
    802.15.4 interfaces (such as lowpan0) as they both use the same 6lowpan
    sources for compression and decompression.
    Signed-off-by: Michael Scott <michael@opensourcefoundries.com>
    Acked-by: Alexander Aring <aring@mojatatu.com>
    Acked-by: Jukka Rissanen <jukka.rissanen@linux.intel.com>
    Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
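
The pointer arithmetic the commit message describes, as an added user-space model (not kernel code and not part of this commit). The `toy_*` names, the 64-byte headroom, the 2-byte compressed header and the starting `mac_header` offset are constructed assumptions chosen to show how a stale offset becomes an out-of-bounds push.

```c
#include <stdint.h>
#include <stdio.h>
/* User-space stand-in for struct sk_buff; header fields are offsets from head. */
struct toy_skb {
    uint8_t buf[128];
    uint8_t *head, *data;
    uint16_t mac_header, network_header;
};

/* Same bound skb_push() enforces: returns -1 where the kernel would panic. */
static int toy_push(struct toy_skb *skb, unsigned int len)
{
    if (len > (unsigned int)(skb->data - skb->head))
        return -1;
    skb->data -= len;
    return 0;
}

/* Decompression: drop the compressed header, prepend a 40-byte IPv6 header. */
static int toy_decompress(struct toy_skb *skb, unsigned int iphc_len, int reset_mac)
{
    skb->data += iphc_len;
    if (toy_push(skb, 40))
        return -1;
    if (reset_mac) /* models the mac_header reset this commit adds */
        skb->mac_header = (uint16_t)(skb->data - skb->head);
    skb->network_header = (uint16_t)(skb->data - skb->head);
    return 0;
}

/* SOCK_RAW receive path: push data back by its distance from the MAC header. */
static int toy_packet_rcv(struct toy_skb *skb)
{
    /* A stale mac_header beyond data makes the distance negative: huge as unsigned. */
    return toy_push(skb, (unsigned int)(skb->data - (skb->head + skb->mac_header)));
}

/* Returns 0 if the receive path is safe, -1 where skb_push() would panic. */
int simulate(int reset_mac)
{
    struct toy_skb skb = { .mac_header = 64 }; /* assumption: set at frame start */
    skb.head = skb.buf;
    skb.data = skb.buf + 64;                   /* constructed: 64 bytes headroom */
    if (toy_decompress(&skb, 2, reset_mac))    /* constructed: 2-byte compressed header */
        return -2;
    return toy_packet_rcv(&skb);
}

int main(void) { printf("stale: %d, reset: %d\n", simulate(0), simulate(1)); return 0; }
```
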
iphc.c 36.7 KB